The standard of working in an office is no longer the standard. Today, work from home, and all that it encompasses, is the new normal. In many ways, things haven’t changed. The focus for security is still the same: access, managing entitlements and controlling endpoints security expense. So, what does that mean now? And what does that mean in the next six months when people come back to a more typical work environment? Robert Meyers, compliance and privacy professional at One Identity, explains.
Digital transformation is the modern phenomena of enabling users to work from anywhere but as with access to all the same resources as if they were working in the office. It often refers to the concept of using cloud resources. Perhaps this transformation was something organisations were putting off; however, in the end, it happened with a sudden crush of additional work. But it happened. Thank you, global pandemic.
The forced digital transformation was done in such a way that IT departments worked like mad to make the changes that no longer could wait for tomorrow. To keep businesses running, things were done as rapidly as possible, not as securely as possible; not as automated as possible. Changes were done because they had to be.
During any digital transformation, there are four areas on which to focus. Namely:
- Remote access – getting users working remotely
- Managing entitlements – giving users the right to do things that they need to
- Securing endpoints
- Controlling costs
Let’s look at the four focus categories in more detail as it applies to dealing with the changes of today and in the future.
Remote Access
To keep business running, users need to have access. When we talk about remote access, we’re not just talking about giving somebody a VPN client. They need to have all the tools they need to access their workloads. That could be a multifactor authentication (MFA) system or a privileged access system for getting into admin tools or securing a remote access gateway of some form. It could also be tools to get into Azure, AWS or Google Cloud, and maybe even work directly on a database. In fact, it could be moving critical resources into the cloud so they can be accessed remotely.
The VPN client only goes so far. Not very long ago, the T and E series Internet connections were common. These included the T1, E1, and T3 for example. The problem is some organisations still hold them. Others go for bargain-basement Internet connections because all their workloads are on-prem. So remote access may not work with the VPN if a company has 500 users trying to connect into something that looks more like a coffee straw than a fast, wide pipe to the Internet. And that’s a normal reality.
Remote access needs to focus on giving workers the ability to work. Sometimes this is moving the workloads to remote physical locations, and sometimes this is moving the workload to remote services or infrastructure (i.e. cloud). Don’t focus on one over the other. Today, we have to deal with managing it the way that an organisation can most easily maintain it.
However, remember that time will cause change to occur. Many of these remote workers will be returning to offices. Some will return to factories. Others, who didn’t have access because they were furloughed, will also return, and some of those might actually end up being remote workers. So remember, when moving workloads, employees may need the ability to work on these workloads from the office as well. Plan for both.
Managing entitlements
Managing entitlements is a complicated concept. Many cut security out of it entirely. The goal in the past was to be flexible and fast but now things have changed. Now there is a distributed workforce using distributed technology. They’re trying to be resilient and flexible, but the lines of distinction between internal/external rights and security have inextricably blurred.
The entitlements that give users rights to do things need to be managed. And that means they need to be put into a format – such as true identity management or account management. Additionally, we have to automate processes.
Why is automation such a big piece of importance here? This dynamic environment that we are in today will change again. Furloughs will cease and users will return. When you have 5,000 users move to remote access in one day and another 5,000 have their accounts disabled on the same day – that’s a lot of work for IT. In addition, if you’re using traditional or manual processes to make these changes, this work is going to happen in a day. Most likely, it will take weeks.
Now think what happens when you have to undo that. Inevitably, it will be even more complicated than doing it in the first place.
Controlling entitlements is key, but it also has to be methodical and has to use automation. People make mistakes and they take shortcuts. If a person doesn’t have enough time to do a task and it was completed quickly, it means shortcuts were taken. When it comes to entitlements – particularly elevated rights that control applications and access or can access personal data or vital company assets – shortcuts are not an option if you want to stay truly compliant. So, when a company is returning to normal, automation is required to remove human error from the equation and to accelerate processes.
Secure Endpoints and Identity
Systems, such as PCs, laptops and mobile devices, that are issued to employees need to be secured. The problem is a lot of these machines are distributed, given to employees on a thumb drive as a virtual machine, without a thought of security. There has never been such a push to get people remote and operational as we’ve seen recently. But in the end, organisations must secure the endpoint.
Defining an endpoint to include workstations, tablets, and virtual machines running on personal computers is imperative. But this security needs to be extended to include a user’s identity and access, and management of cloud applications, because all of that needs to be secured as well.
Start with the physical endpoints, then get those mobile device management systems enrolling laptops and tablets. Deploy desktop-management tools to the desktops. Enable the helpdesk to actually help users. This is a significant issue right now. Systems are being sent out without a lot of the management tools that IT has used for years.
The visibility into these endpoints is significantly less than at any time since IT security became the norm. Visibility into access controls is also low. However, security has to be prioritised and implemented in the quickest and easiest way possible. In some cases, that MDM is going to be deployed by an email. The MFA is going to be given after a user connects into the VPN without it. Is that the best solution? No. However, if the machines have already been deployed, and users are already logging in, then a company needs to start layering in all the security they can immediately, not in six months.
Controlling Costs
There are interesting explosions of cost centers today. People are moving technology budgets around at an unprecedented pace right now. At the same time, everyone needs to focus on ways to control their costs. So how can you do this during such a chaotic time?
There are three areas you can focus on to control costs. The first is managing logs and SIEM; the second is managing license agreements; and the third is closely managing your migration to the cloud.
It’s interesting that logs come before licensing. Right now, there are a lot of new log sources being sent to SIEM. Remote access logs that went from 50 devices to 5,000 overnight. New web applications and services. Dramatically larger utilisation of auditing logs, possibly in Microsoft Office 365. And logs have to be taken more seriously today because users are out there and so is the data that needs protecting. But most SIEMs charge by the gigabyte per day. They often charge for how much data is stored. As security teams try to keep up with all these new streams of log data that organisations worry about a denial of service of their own SIEMs.
Another controllable cost is licensing. Why do so many organisations keep excess licensing? It is not uncommon to learn that an organisation has too many licenses for email, service desk systems “to be safe”. Those extra accounts should be de-provisioned and the license released. For those excess licenses running around, those should be released. Why do so many organisations waste money on licenses that are often purchased on a month-to-month basis? More and more services have gone to this service concept, which allows users to be added back in nearly seamlessly. So, organisations should plan to use this type of licensing when conditions move back to a more normal setting.
Lastly, in the controlling costs category, migrations to the cloud will happen, but they need to be the right migrations. There are a lot of services to help identify an infrastructure provider or SaaS provider that will be economically advantageous. Today, that should include an interface and ease-of-use. The key here is to reduce costs by putting the right workloads in the right cloud infrastructure. Use the right services to control those spiraling costs.
For example, escalating cost are those we normally haven’t seen in most businesses. In many organisations, IT spend is considered a pain point, and what happens is it’s strangled to the point where everything is behind. As an example, how many organisations are still basing their infrastructure off Windows Server 2008 R2 or Windows Server 2012 R2? Very few organisations have converted to either Windows 2016 or 2019 as the backbone of their infrastructure. When you talk to IT admins it’s always on the horizon. Just a year ago, it wasn’t uncommon to see people moving to 2012 R2. The argument is always about costs. But some of those more up-to-date operating systems have cloud interconnections. It is easier to move their workloads. So, sometimes controlling the cost means spending the right money, and that could be doing the right upgrades or buying the right tools to do a migration, and then doing the migration. Spend wisely, and always look for additional advantages with every purchase.
Digital Transformation
The digital transformation has truly occurred; and what’s going to come out of it? No one knows. It wasn’t controlled. It wasn’t planned. It happened. Now, we get to play catch up. When planning next steps, please remember to keep in mind the following:
Businesses need to focus on access, managing entitlements, securing endpoints and identities, and controlling costs. These focus areas should include what happens next. The world as it stands and business as it stands are not going to be the world we work in next year. Plan accordingly.
Robert Meyers is the Compliance and Privacy Professional and Channel Program Solutions Architect for One Identity. He is a thirty-year veteran of the Identity and Access Systems and Information Security industry, with more than 10 years of that time focused on planning, supporting and managing privacy programs, such as FERPA, HIPAA, GDPR and CCPA. His experience also includes leadership responsibilities for nearly one hundred mergers and acquisitions. Robert regularly speaks at events about privacy topics. His extensive certifications includes IAPP Fellow of Information Privacy, CIPP/E, CIPT and the ISACA CISM.